Overview:
A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the following: That a consumer has the right to request the specific pieces of personal information it has collected about that consumer.
Action Items:
1) Review existing privacy notices and verify that they meet each of the new requirements of the CCPA.
2) Identify instances in which you may be collecting information about Californians and do not currently have a privacy notice. In such situations, draft a privacy notice that conforms with both the CCPA and with other privacy laws that may apply (e.g. the GDPR).
3) Review existing methods for submitting access requests to your organization to verify they comply with the CCPA.
4) Draft a "play book" that provides standard communications that can be sent to individuals that make access requests, and standard formats for reporting personal information.
5) Train employees on the handling of access requests.
6) Verify that the policy in place facilitates the fulfillment of access requests within the time period permitted by the statute.
7) Create a process to readily access the specific Personal Information the Business has about each Consumer. This includes knowing what Personal Information is held and what "category" it falls into; where it is stored; and having the ability to extract it.
8) Create a tracking system to track each access request and how it was handled, to be able to demonstrate compliance.
Related Documents:
1) Privacy Notice
2) Evidence that consumers can submit a Verifiable Consumer Request (VCR), pursuant to request submission requirements
3) Sample of a VCR submitted by a consumer to ensure it captures all relevant data
4) List of third parties with whom consumer personal data is shared, and why.
Additional Guidance:
Whether or not information has been "collected" triggers a number of CCPA requirements. Here the CCPA adopts a broad definition.
Collection of Personal Information
Collection is defined as "buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a Consumer by any means." Collecting also includes receiving information from a Consumer "either actively or passively, or by observing the consumer's behavior."
Sale of Personal Information
A "sale" of Personal Information under the CCPA is defined broadly to include the "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means" the Personal Information of a Consumer to another business or third party "for monetary or other valuable consideration."
This broad definition suggests that if Personal Information is provided as part of a larger business relationship, a "sale" may have occurred even if no amounts are paid directly for the data itself. In addition, a website may be "selling" Personal Information by passing such information to third-party ad networks through cookies.
Exceptions
The CCPA outlines certain exceptions to what would be deemed a sale, including when:
1) A Consumer uses or directs the Business to intentionally disclose Personal Information to a third party. An "intentional" interaction occurs when the Consumer intends to interact with the third party via one or more deliberate actions. Hovering over a piece of content or closing it does not qualify as a "deliberate action".
2) A Business shares a Consumer identifier to alert a third party of a Consumer's opt-out decision.
3) Personal Information is shared with a third party to perform a "business purpose" (explained below) and: the Business has provided notice of this sharing and the opt-out right; and the third party does not further collect, sell or use the Personal Information except as necessary to perform the business purpose.
4) The Personal Information is an asset that is part of a merger, acquisition, bankruptcy or other transaction in which the third party assumes control of all or part of the Business, provided the Business complies with the CCPA disclosure requirements relating to the disclosure of information collected or sold (discussed below). If the acquirer plans to alter how it will use or share the Personal Information in a manner materially inconsistent with the promises made at the time of collection, it must provide prior notice of the new practices to the Consumer and include a "prominent and robust" notice so the Consumer can opt out. Note that the CCPA also warns Businesses that material, retroactive privacy policy changes must not violate California's Unfair Competition Law — a statement apparently designed to address Businesses that want to make significant changes to a privacy policy in light of an impending deal.
Personal Information
Personal Information includes, but is not limited to, the following if it identifies, relates to, describes, is capable of being associated with or could be reasonably linked, directly or indirectly, with a particular consumer or household:
1) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's license number, passport number or other similar identifiers.
2) Signature, physical characteristics or description, telephone number, state identification card number, insurance policy number, employment, employment history, bank account number, credit card number, debit card number or any other financial information, medical information or health insurance information.
3) Characteristics of protected classifications under California or federal law.
4) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
5) Biometric information
6) Internet or other electronic network activity information, including, but not limited to, browsing history, search history and information regarding a consumer's interaction with an internet website, app or advertisement.
7) Geolocation data
8) Audio, electronic, visual, thermal, olfactory or similar information.
9) Professional or employment-related information.
10) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act.
11) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.
Exceptions to the Personal Information Definition
1) Information that is publicly available (i.e., lawfully made available from federal, state or local government records) is not covered by the CCPA provided the use is compatible with the purpose for which the data is maintained and made available in the government records. Biometric information collected about a Consumer without the Consumer's knowledge is not deemed "publicly available."
2) Deidentified Public Information - "Deidentified" means information that cannot reasonably identify, relate to, describe, be capable of being associated with or be linked, directly or indirectly, to a particular Consumer, provided that a Business that uses deidentified information (i) has implemented technical safeguards that prohibit reidentification of the consumer to whom the information may pertain, (ii) has implemented business processes that specifically prohibit reidentification of the information, (iii) has implemented business processes to prevent inadvertent release of deidentified information, and (iv) makes no attempt to reidentify the information. The challenge for many Businesses will be determining whether information cannot reasonably "be capable of" being associated with a particular Consumer, directly or indirectly, particularly at a time when advances in data analytics are making it easier to recreate an individual's identity from disparate data elements.
3) Aggregate Consumer Information - "Aggregate consumer information" is defined as information that relates to a group or category of Consumers, from which individual Consumer identities have been removed, and that is not linked or reasonably linkable to any Consumer or household, including via a device.
Article ID: 5
Created: September 24, 2022
Last Updated: September 24, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/ccpa-right-to-disclose-specific-pieces-of-information-collected-110-a-5-5.html